Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Cascaded Phishing and MFA Spray Attacks Dominate 2025 Threat Landscape, Cisco Talos Reports

Cisco Talos reports that phishing remained the top initial access vector in 2025, with attackers increasingly using cascaded campaigns from compromised trusted accounts and abusing Microsoft 365 Direct Send to spoof internal emails.

Cisco Talos has released its 2025 Year in Review report, revealing that phishing remained the dominant initial access vector, used in 40% of incidents. Attackers have refined their techniques, moving beyond simple spam to highly targeted cascaded phishing campaigns that leverage compromised trusted accounts to launch lures against partners and third parties. The report highlights a significant shift in email composition, with attackers crafting workflow-style emails mimicking IT, travel, and expense processes to lower employee vigilance.

A key technical abuse identified is the exploitation of Microsoft 365 Direct Send, a feature designed for networked devices like printers to deliver documents internally. Attackers used Direct Send to spoof internal email addresses, bypassing external email scrutiny and delivering convincing lures from within the organization without compromising real accounts. This technique allowed them to target key services and cause high-impact damage, as internal messages often receive less rigorous filtering.

MFA and identity attacks also surged, with nearly a third of MFA spray attacks targeting identity and access management (IAM) systems. Attackers exploited authentication workflows to steal single sign-on (SSO) tokens and modify MFA policies, turning IAM tools into points of failure. Device compromise attacks skyrocketed by 178%, largely driven by voice phishing that tricked administrators into registering malicious devices.

The report notes that attack strategies varied by sector. MFA spray attacks were effective against networks with predictable identity behavior, while device compromise thrived in environments with diverse, unmanaged, or high-turnover device ecosystems. Higher education was the most targeted sector for device compromise due to its large population of unmanaged devices, poor patching, and weak new-device verification policies. Conversely, higher education was less susceptible to MFA spray attacks because of varied passwords and strong login portal policies.

Cisco Talos provides guidance for defenders, emphasizing the need to block external IPs from using Direct Send, to enable Microsoft's 'Reject Direct Send' control, and to tighten SPF/DMARC enforcement. For MFA protection, Talos recommends strong lockout policies, good password hygiene, and conditional access. Against device compromise, it advises better device hardening, session controls, and phishing-resistant MFA with enrollment governance. The full report includes detailed breakdowns of targeted tools and sectors.
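As an added defender-side illustration (not code from Talos or the report), the check below flags messages whose From header claims the tenant's own domain but which fail SPF/DMARC and arrive from an IP that is not an approved Direct Send device, which is the pattern the Direct Send abuse described above produces. The tenant domain, the allowed relay IP and both sample header blocks are constructed assumptions.

```python
import re
from email import message_from_string

# Assumptions (not from the Talos report): the defended tenant's domain and the
# IPs of devices that are legitimately allowed to use Direct Send.
INTERNAL_DOMAIN = "example.com"
ALLOWED_DIRECT_SEND_IPS = {"203.0.113.10"}

# Constructed sample headers. SPOOFED models a Direct Send lure: the From header
# claims the internal domain, but the connecting IP is external and SPF/DMARC fail.
SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.25)
 smtp.mailfrom=example.com; dmarc=fail action=none header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
Subject: Action required: re-register your MFA device

Please re-register your authenticator using the link below.
"""
# SCANNER models an approved multifunction printer using Direct Send from a known IP.
SCANNER = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dmarc=fail action=none header.from=example.com
From: Scanner <scanner@example.com>
Subject: Scanned document

Attached.
"""

def parse_auth_results(value):
    """Return (spf, dmarc, sender_ip) from a possibly folded Authentication-Results value."""
    flat = " ".join(value.split())  # unfold continuation lines into one string
    spf = re.search(r"\bspf=(\w+)", flat)
    dmarc = re.search(r"\bdmarc=(\w+)", flat)
    ip = re.search(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})", flat)
    return (spf and spf.group(1), dmarc and dmarc.group(1), ip and ip.group(1))

def assess_direct_send(raw):
    """Classify a raw message as 'suspect', 'allowed-device' or 'clean', with reasons."""
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    spf, dmarc, ip = parse_auth_results(msg.get("Authentication-Results", ""))
    if from_domain != INTERNAL_DOMAIN:
        return "clean", []  # external sender: normal inbound filtering applies
    reasons = [f"{k}={v}" for k, v in (("spf", spf), ("dmarc", dmarc)) if v != "pass"]
    if not reasons:
        return "clean", reasons  # internal-looking mail that authenticates cleanly
    if ip in ALLOWED_DIRECT_SEND_IPS:
        return "allowed-device", reasons + [f"known relay {ip}"]
    return "suspect", reasons + [f"unknown sender IP {ip}"]
```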

Synthesized by Vypr AI